[openstack-dev] [Keystone] Admin or certain roles should be able to list full project subtree

Jeremy Stanley fungi at yuggoth.org
Thu Mar 16 13:07:43 UTC 2017

On 2017-03-15 13:46:42 +1300 (+1300), Adrian Turjak wrote:
> See, subdomains I can kind of see working, but the problem I have with
> all this in general is that it is kind of silly to try and stop access
> down the tree. If you have a role that lets you do 'admin'-like things
> at a high point in the tree, you inherently always have access to the
> whole tree below you.
> Really if you don't want someone to access or know about
> 'secret_project_d' you make sure 'secret_project_d' is in a totally
> unrelated domain from the people you are trying to hide it from.

I have to agree on these points; any attempt to build a feature
intended to hide resources from the same groups who delegate the
permission to create them is 1. misguided, and 2. probably entirely
futile. It will ultimately get treated as a feel-good control with
no actual teeth, as well as a hindrance to people who end up working
around it by adding and removing permissions for themselves so they
can see/manage stuff which would otherwise be hidden from them.

If this makes it in as a supported option, I can't begin to imagine
the embarrassing security holes you'll end up having to squash all
over the place where information about "hidden" resources gets
leaked through side channels in other services (telemetry,
monitoring, basic math on aggregate quotas, et cetera).
Jeremy Stanley

More information about the OpenStack-dev mailing list